That's a very impressive answer. I just have something to add to the Final Thought regarding laptop users:
I think it would be important to keep in mind that if someone steals a laptop and is able to brute force the password or are able to log on as you by some other means, they will also be able to decrypt your data, unless you delete your certificate before logging/powering off. Also, it's generally a best practice to encrypt at the folder level, so that any files or folders contained within are also encrypted automatically. Lee -----Original Message----- From: Stephen Tefu [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 26, 2006 12:01 PM To: Larry; [email protected] Subject: RE: EFS rollout using Active Directory You can implement EFS on systems running Windows 2000 and Windows XP Professional Edition. Windows 95/98, Windows Millennium Edition, and Windows XP Home Edition do not support EFS. Before implementing EFS to protect your corporate data, you need to create a recovery key. Make sure you keep a backup copy of the Encrypted Recovery Agent (ERA); this is your insurance policy to decrypt files throughout your domain. Stand-alone workstations generate their own public key certificate that you can use for EFS. However, in a domain environment, you'll need to create an ERA before enabling EFS. After creating the ERA, back it up to a media format that you can protect under lock and key. To create an ERA, follow these steps: Go to Start | Programs | Administrative Tools | Active Directory Users And Computers. (If you have a stand-alone system, go to Start | Control Panel | Administrative Tools | Local Security Policy, and skip to Step 4.) Right-click your domain, and select Properties. On the Group Policy tab, select the Default Domain Policy, and click the Edit button. Go to Computer Settings | Security Settings | Public Key Policies | Encrypted Data Recovery Agents. Right-click the policy, and select New | Encrypted Recovery Agent. Use the wizard to add the recovery agent certificates to the policy. After creating the certificate, right-click the certificate, select Export, and use the Certificate Export Wizard to export your certificate to some other physically securable media (e.g., CD, floppy, etc.). After the policy refreshes, all users on your domain will be able to safely encrypt the contents of their files or folders. Encrypting a file or folder is relatively easy. Follow these steps: In Windows Explorer, right-click the file or folder you want to encrypt, and select Properties. In the Encrypted Files Properties dialog box, click Advanced on the General tab. Select the Encrypt Contents To Secure Data check box, and click OK twice. Make sure you have a copy of your users' certificates to use for emergency decryption in the event of workstation rebuilds. Keep in mind that you can't encrypt compressed files or folders. Marking a file or folder for encryption will automatically uncompress the file or folder. In addition, copying or moving a file to a non-NTFS volume will automatically decrypt it. Final thoughts It's a good idea to implement EFS in phases after your users have a certificate and you have a good backup copy of that certificate locked in a drawer. You can expect your biggest boost in security to come when you implement EFS for laptop users. If a user loses a laptop, but he or she encrypted data with the domain account, that data will remain secure. -----Original Message----- From: Larry [mailto:[EMAIL PROTECTED] Sent: 26 April 2006 03:28 PM To: [email protected] Subject: EFS rollout using Active Directory Greetings: Does anyone have a procedure for implementing Microsoft EFS using Active Directory ? I have to roll EFS out to 2000+ laptops and would like to implement using Active Directory, but I don't have a lot of experience with AD. Thanks /LC --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
